Security arrangement, method and apparatus for repelling computer viruses and isolating data

ABSTRACT

A security system, method and apparatus for repelling computer viruses and isolating data. The security system includes sub-systems 1-3, of which sub-system 1 includes, in addition to anti-virus software, those programs of sub-system 3 that may cause the activation of a virus. Sub-system 2 functions as an intermediate stage between sub-systems 1 and 3. In the presented method, actions are taken to activate a virus and to detect virus activation. In connection with virus activation the security system or its part can be separated from the rest of the system and thereby limit damages. When the security system is placed between two systems, it can also be used to isolate the two systems mentioned above from each other with regard to direct, real-time data transfer. The apparatus is adapted to receive a message from another apparatus and to examine the message in order to activate and to detect unknown viruses.

The invention relates to computers, information networks and communication systems, and in particular to the repelling of viruses in these.

Viruses appearing in computers are pieces of programs the main purpose of which is to propagate. Many viruses cause in addition, either intentionally or unintentionally, damage to the host computers in which they have become activated. Viruses may make themselves known by displaying messages on the computer's screen or by destroying files. A virus is typically attached to one or more files and will become active once the said file is opened or, when the file is a program, once the program is launched. After becoming active, the virus may attach itself to other files, make itself apparent to the computer's user or cause damage, inter alia, by destroying contents of the working storage or the mass storage. Before the age of the Internet, viruses were typically spread from one piece of hardware to another by means of disks. Nowadays, the most common sources for contamination are the loading of infected files from the Internet or the opening of e-mail messages carrying viruses. Huge information networks such as the Internet are excellent environments for the extensive spreading of viruses, as tracking down the original spreader is difficult due to the dynamic nature of the network and partially because the network protects the anonymity of its users; on the other hand, there are virtually countless potential catchers of viruses around the world.

Virus being a rather generally applied term, one can divide it into subcategories such as worms and trojan horses. Worms are programs that are able to propagate independently from any action taken by the user favourable for a virus and usually required by traditional viruses in order to become active. Worms use, for example, features enabling the automatic sending and/or receiving of files integrated into modern computers and computer systems. The term “trojan horse” is based on the archetypal deception carried out in ancient Greece and is an indication of the treacherous nature of the program given the same name. A trojan horse is a program most of the time disguised as something else, a program with either a useful or an entertaining purpose. A trojan horse can also carry features of traditional viruses or worms. In addition to common files, some viruses can attach themselves to the boot sector of the mass storage of a computer on the hard disk or a diskette. These viruses are typically activated immediately after turning on the computer or when reading the contents of a diskette. Viruses may, on the other hand, make themselves remain undetected by observing system calls run in a computer and dealing, for example, with memory blocks of mass storage, and restore the caller application with the original saved contents of the memory blocks, instead of the current data altered by the virus.

One can protect oneself from traditional viruses, worms, trojan horses as well as their combinations by using a wide variety of different methods. Most of the time, anti-virus programs installed in computers are run constantly as so-called background processes and they are placed in connection with the starting of the computer at least partially in the working storage to control the data transfer between the information network and the computer connected thereto, the computer's own internal operations and the contents of the mass storage, at least indirectly. The internal operations of a computer pertain, for example, to the handling of memory and files and to the controlling of peripheral equipment. Anti-virus programs usually contain a database of such features of known viruses, so-called fingerprints, that are characteristic of each virus or type of virus. When a new file, for example a program, is saved in the computer's working storage, the anti-virus software in the computer's memory will perform a search comparing the features of known viruses to the information contained in the said file.

Important files can be protected separately by using, for example, CRCs (Cyclic Redundancy Checks) or so-called hash checks. If the check run in the file is not consistent with the original, a virus has possibly attached itself to the file and has altered the information contained therein.

The database of classic anti-virus software must always be updated to contain the characteristics of a new virus before the virus can be reliably detected and identified. So-called polymorphic viruses can transform themselves in connection with their copying, and therefore they are particularly difficult to detect using traditional anti-virus programs. The mutations of a polymorphic virus may contain the same actions realized by different series of commands, thus maintaining the function of the virus; however, anti-virus programs based on fingerprints can no longer reliably identify different variations as viruses. On the other hand, even if all possible types of virus and their mutations could be identified, the space required to store the characteristics and correspondingly the time to locate these would soon escalate to an unreasonable level.

The publication U.S. Pat. No. 5,889,943 presents a system where a closed network is connected to an external network by a gateway. This gateway will examine all messages coming in by the external network as well as messages leaving through it to prevent possible virus infections. The internal traffic is not examined. The publication furthermore presents a separate apparatus to be installed in the user's computer. The apparatus includes a polling module to detect new messages in the network's common postal node, a retrieval module to receive messages from the postal node and an analysis/treatment module to detect viruses in messages.

The publication U.S. 2002/0095607 presents an apparatus to be installed between the actual core part of a personal computer and an external data network. The apparatus includes a so-called ghost address book with ghost addresses. When a virus tries to take control of the address book in order to send itself to all addresses listed, the action is detected and an alarm is given.

The objective of the Invention is to avoid the afore-mentioned weaknesses present in traditional anti-virus methods and systems with the help of a new security system, a method applied therein and a new apparatus.

A security system protecting computers and computer networks from viruses, as covered by the Invention, which security system is adapted to forward messages, is characterized in that it includes a first sub-system to detect unknown viruses, which sub-system is adapted to take at least one action to activate unknown viruses in connection with the forwarding of messages or other action, or in a timed manner.

The Invention further covers a security system for repelling viruses in computers and data networks, which security system is adapted to forward messages, for which security system is characteristic that it includes a first sub-system for detecting unknown viruses, which first sub-system is adapted to compare messages with at least partially same identifiers with each other in order to detect unknown viruses.

In addition to the above, the Invention covers a method for protecting computers and computer networks from viruses, which method is characterized in that it is performed in a system including a first sub-system to forward messages and to detect viruses, which first sub-system can be isolated in respect of information transfer from the other system, which method includes stages where:

- the actions of the system are monitored in order to detect viruses,
- a virus is detected when at least one of the following conditions is met: a change takes place in the first sub-system prior to actions causing changes carried out by the first-mentioned sub-system, a change takes place in the first sub-system that is not an action taken by the said sub-system to detect a virus, a message leaves for another system without command from the first sub-system, a message leaves for another system to a wrong address or to a system which no communication has been directed to, a message does not leave for another system although it has been sent there,
- an alarm is given.

In addition to the above, the Invention covers a method for repelling viruses in computers and computer networks, which method is characterized in that it has stages where:

- at least one action in the system is taken in connection with the forwarding of messages or other action, or in a timed manner, in order to activate a virus,
- the actions of the system are monitored in order to detect an occurrence initiated by virus activation,
- an alarm is given when a virus is detected.

In addition to the above, the Invention covers an apparatus for repelling viruses in computers and computer networks, which apparatus includes equipment for saving and handling data and equipment for transferring data with another apparatus, for which first-mentioned apparatus is characteristic that it is adapted to receive a message from the other apparatus mentioned and to perform at least one action in order to activate viruses contained in the message.

In accordance with one preferred embodiment of the Invention, a security system is established for repelling computer viruses, which system includes sub-systems 1-3. The sub-system 1 is a “porch” or “mudroom” that forwards communication between the external system and the sub-system 3, the so-called user system.

Messages arriving from outside the security system that are usually directed to users in sub-system 3 are first sent from sub-system 1 to the “entrance hall”, i.e. sub-system 2, from which they are later directed to sub-system 3. Sub-system 2 includes addresses corresponding with each address of sub-system 3, for example, an IP address of a computer or an e-mail address of a user, through which the messages are forwarded between sub-systems 1 and 3. Sub-system 1 has the information how the address data of sub-systems 2 and 3 can be combined with each other in order to forward incoming messages conveniently to an address in sub-system 2 corresponding with an address in sub-system 3. There is also a secure connection from sub-system 1 to sub-systems 2 and 3. Messages from sub-system 3 to an external system can correspondingly be recycled through sub-systems 1 and 2 of the security system. Sub-system 1 includes such programs and functions of sub-system 3 that a virus might in some way make use of. In addition, sub-system 1 includes such programs and functions that are justifiable in order to locate a virus. Such programs may be, for example, anti-virus programs and programs that may help to activate a virus. If desired, even other programs and functions that are not part of sub-system 3 can be included in sub-system 1 within the limits of its performance and memory capacity. Sub-systems 1-3 can, if needed, be added to (sub-)systems X, if so is deemed necessary in respect to repelling viruses. If a virus is detected in sub-system 1, a protection command is sent to sub-systems 2 and 3 via a secure connection. When a virus is activated in sub-system 1 of the security system, its damages will be limited to sub-systems 1-2, preventing or at least remarkably minimizing damages in sub-system 3 or in any other system connected to the security system to be protected, as it is possible for the sub-systems in relation to communication to be separated from each other or any other system connected thereto, such as an external data network, for example, when a virus attack is detected.

In a network environment, the security system can be installed centralized at a data receiving/forwarding point. As regards individual computers, including mobile phones and PDAs, the system can be implemented as a service offered by an operator or a new type of computer including a number of systems (sub-systems 1-3) in accordance with the Invention. The security system does not necessarily require any additional equipment to be able to function, but it can in many cases be implemented on a software basis in an existing system using its network elements such as a server or a router, which network elements contain a memory, for example a RAM memory circuit, and a non-volatile memory such as a hard disk to save data, for example a computer program, as well as a processor to carry out the functions defined by the said program.

In accordance with another preferred embodiment of the Invention, sub-system 2 is left out of the implementation of the security system, if one can guarantee the arrival of a protection command at sub-system 3 prior to other messages possibly infected by a virus. In that case one would still achieve a high level of protection from virus attacks and the system would be simpler in its overall structure than the former embodiment, also enabling lower hardware requirements than before.

In accordance with a further preferred embodiment of the Invention, a security system is established in order to isolate data between two systems. Files are transferred from an external system to an internal system, for example to sub-system 3, i.e. the user system, gradually through sub-systems 1 and 2. In order to isolate data between the user's sub-system 3 and the external system, the connection between the external system and sub-system 1 is disrupted when the connection between sub-systems 1 and 2 is open, and the connection between sub-systems 1 and 2 is disrupted when the connection between sub-systems 2 and 3 is open. One can proceed correspondingly when transferring data from the internal system to the external system. With the help of the presented staggered communication between the sub-systems one can hinder unauthorized intrusions into the user's system.
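The staggered opening and closing of connections described above can be modelled as a small link controller. The following is an added example, not code from the patent; the link names, stage names and the `StaggeredGateway` class are assumptions made for illustration, and the sample files are constructed.

```python
# Added example (not from the patent): staggered links between the external
# system, sub-systems 1 and 2, and the user system (sub-system 3).
LINKS = ("ext-1", "1-2", "2-3")            # hypothetical link names
STAGES = ("ext", "sub1", "sub2", "sub3")   # hypothetical stage names
# Rule from the text: ext-1 is down while 1-2 is up, and 1-2 is down while
# 2-3 is up. Each link therefore conflicts with its direct neighbours.
ADJACENT = {"ext-1": {"1-2"}, "1-2": {"ext-1", "2-3"}, "2-3": {"1-2"}}


class IsolationError(RuntimeError):
    """Raised when opening a link would bridge two neighbouring stages."""


class StaggeredGateway:
    def __init__(self):
        self.open_links = set()
        self.stores = {stage: {} for stage in STAGES}
        self.trace = []  # snapshot of the open links after every change

    def open_link(self, link):
        conflict = ADJACENT[link] & self.open_links
        if conflict:
            raise IsolationError(f"{link} refused: {sorted(conflict)} still open")
        self.open_links.add(link)
        self.trace.append(frozenset(self.open_links))

    def close_link(self, link):
        self.open_links.discard(link)
        self.trace.append(frozenset(self.open_links))

    def _hop(self, link, src, dst, name):
        # Open exactly one link, move the file one stage, close the link again.
        self.open_link(link)
        try:
            self.stores[dst][name] = self.stores[src].pop(name)
        finally:
            self.close_link(link)

    def transfer(self, name, inbound=True):
        """Move a file stage by stage; outbound uses the same hops in reverse."""
        hops = list(zip(LINKS, STAGES, STAGES[1:]))
        if not inbound:
            hops = [(link, dst, src) for link, src, dst in reversed(hops)]
        for link, src, dst in hops:
            self._hop(link, src, dst, name)


def isolation_held(trace):
    """True if no recorded snapshot had two neighbouring links open at once."""
    return all(not (ADJACENT[link] & snap) for snap in trace for link in snap)


def demo():
    gw = StaggeredGateway()
    gw.stores["ext"]["report.txt"] = b"constructed sample file"
    gw.transfer("report.txt", inbound=True)
    gw.stores["sub3"]["reply.txt"] = b"constructed sample reply"
    gw.transfer("reply.txt", inbound=False)
    return gw


if __name__ == "__main__":
    gateway = demo()
    print("isolation held:", isolation_held(gateway.trace))
```

Note that the rule as stated only forbids neighbouring links from being open together, so this model permits `ext-1` and `2-3` to be open at the same time while `1-2` is closed.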

Embodiments of the Invention are described in the dependent Patent claims.

Hereinafter the Invention is described in more detail by reference to the attached drawings.

FIG. 1 presents a security system in accordance with the first preferred embodiment of the Invention that is connected to an external system by means of a router, and the sub-system 3 of which includes three computers of users and an e-mail server,

FIGS. 2A and 2B present different sub-systems of a security system in accordance with the Invention and the connections between them,

FIG. 3 presents a flow chart showing one implementation alternative for an anti-virus method to be performed in a security system in accordance with the Invention,

FIG. 4 presents a security system in accordance with a second preferred embodiment of the Invention, where sub-system 2 is left out of the implementation of the security system,

FIG. 5 presents a security system in accordance with a third preferred embodiment of the Invention for isolating data from the external network,

FIG. 6 presents an apparatus in accordance with the Invention and another system connected thereto.

FIG. 1 presents the internal network of a small enterprise, a so-called local area network, that functions at the same time as the user's system and the third sub-system 3 of a security system in accordance with the Invention, including three computers 104, 106, 108 and an e-mail server 102. Communication in the network takes place through HUB 112. Connections to an external system 114, for example a national data network, have been adapted to go through router 110. Functions of server 102 and router 110 can be carried out in the same computer, if desired. Sub-systems 1 and 2 of the security system are in this example situated in connection with router 110, but from the point of view of the Invention, it is relevant that e-mail messages possibly infected by a virus cannot reach sub-system 3 or external system 114 before being examined at a suitable interface that can be separated from the local area network, if needed. Therefore the security system can in a typical case be included in, for example, one or more separate computers between the gateway of the external network and the internal network. Should this, however, not be possible, one can by all means implement the security system in each computer of the local area network separately. In the Internet, the duty of the Internet Protocol is to route the IP data to the correct recipient. Usually, the databases of DNS (Domain Name Service) servers contain special MX (Mail eXchanger) entries that define for domain names their own mail servers which all messages addressed to the said names are directed to. One wants to make mail servers, for instance the general SMTP (Simple Mail Transfer Protocol)/POP (Post Office Protocol) servers, as reliable as possible, and there may be several of them working in the same network area, prioritized in different ways in order to have messages saved in the system, even if the recipient was not immediately available. The DNS service can in a network as presented in FIG. 1 be situated, for example, in router 110 that directs mail communication arriving at local area network 3 automatically to server 102. Further information regarding the routing of messages in respect of the DNS system can be found, inter alia, in Reference [1]. A router can also include the functions of NAT (Network Address Translation) that help situate the computers of the internal data network in a different (type of) address space than used in the external network.

Server 102 and computers 104, 106, 108 are connected to an Ethernet type local area network by means of a different hub 112. Other possible network solutions are, inter alia, Token Ring, FDDI (Fiber-Distributed Data Interface) and ATM (Asynchronous Transfer Mode). The cabling used in a local area network, i.e. sub-system 3 of the security system, can be, for instance, pair or coaxial cable. On the other hand, it is possible to make use of wireless solutions such as WLAN (Wireless LAN) when connecting, for example, laptops, mobile phones or PDAs to the network. Hub 112, including several ports for connecting computers, will send by default the data received through one port to all other ports. The then established network topology is only apparently star-shaped/radial, as it remains all the same a logical bus; apparatus connected to the bus will also detect messages sent by all others, if desired. The access mechanism in Ethernet networks is CSMA/CD (Carrier Sense Multiple Access/Collision Detect) where the computer will first listen if the network is available and only then start sending the data in package form. Several computers can start sending at the same time, so the sender also has to listen to the bus during the transmission in order to avoid possible collisions in the data transfer. When detecting collisions, the sender is silent for a random period of time before a new transmission.

Within sub-system 3, the data is directed from a computer or an apparatus to another with the help of so-called MAC (Medium Access Control) addresses and to/from an external network with the help of IP addresses. Thus every apparatus connected to a network has its own MAC and IP address. ARP (Address Resolution Protocol) enables the identification of a MAC address corresponding with an IP address in a local area network. An address query is sent to the network without any defined recipient, but router 110 does not forward the query to the outside from the local area network, in this case sub-system 3. The apparatus identifying the IP address in question responds directly to the sender of the query. After having learned the searched IP-MAC equivalence, the sender of the query enters it in its ARP table and can thus in the future send the data frame directly to the recipient without any queries. When sending out data from sub-system 3, it must first be transferred to router 110 that will take care of the data transfer with the outside world. If the sender detects that data is being directed outside of the local area network, it may direct communication directly to router 110 the LAN address of which is known by the sender. Otherwise the apparatus will broadcast an ARP message inquiring what LAN address corresponds with the IP address of the recipient of the package. Router 110 detects that the recipient of the package is located outside sub-system 3 and responds to the query with its own LAN address. Thereafter, the sender forwards the message to router 110. Outside the local area network, for example in a wide area network, the routing of messages is usually based on using some internal routing protocol, such as RIP (Routing Information Protocol) and OSPF (Open Shortest Path First). Between autonomous areas, for example network operators or companies in different countries, so-called external routing protocols are used, for example BGP (Border Gateway Protocol), as in that case, the route is chosen not only on the basis of efficiency, but even other factors affect the choice: for instance, political, financial or security factors limit the choice of eligible routes. The limitations mentioned above, along with routing definition, are usually entered manually into the routers. Further information regarding communication networks, particularly on system level, can be obtained from Reference [2].

FIG. 2A represents the forwarding of a message from the external system 114 to sub-system 3 from the point of view of different components of the security system. Situated in connection with router 110, yet conveniently separate in its functions, sub-system 1 receives all communication between the external network and sub-system 3 that is to be forwarded. The mail book of sub-system 1, which can be realized, for example, as a table to be saved in the memory, has identifiers located in sub-system 2 corresponding with each identifier of the apparatus of sub-system 3, being, for example, network addresses or host addresses. When sub-system 1 receives a new message 202, it is temporarily saved, for example, in the RAM (Random Access Memory), and message 202 is not handled, opened or in any way changed before the actual stage of activating viruses. Sub-system 1 includes by default hardware compatible with sub-system 3, nowadays typically a personal computer with, for example, MSDOS (Microsoft Disk Operating System)/Windows operating system. Although router 110 may have memory capacity in itself and its processor may have computational capacity to run the presented anti-virus method to its full extent, even separate hardware can be used in implementing the security system, locating it, for example, between the router and the hub. In such a case, a possible virus activation would not necessarily have as disastrous an effect on the function of the router and the messages contained therein as in a completely integrated router/security system solution. Even sub-system 2 can be separated from sub-system 1 into its own hardware. Next, in sub-system 1 a search is conducted in order to detect viruses having attached themselves to message 202. If a virus is detected, an alarm is given, i.e. a protection command 204 is sent to sub-systems 2 and 3. Alternatively, if the virus is of a known type and can reliably be removed by the security system from the contaminated message, the security system can continue its normal activities, however, saving data regarding the virus detection and the corrective measures taken, for example, in a special log file. The clean message is forwarded through sub-system 2 to its recipient in sub-system 3.

Sub-systems 1 and 2 can be connected with system X, for example, sub-system 210, i.e. a “dumping ground”, where, once a protection command arrives, the message causing the alarm is saved along with, for instance, other messages and files in sub-system 2 at that time for further examination. Then, provided that the conditions for secure functioning of the security system still prevail, sub-systems 1 and 2 can almost with no delay continue their normal activities, while the connected system 210 will take care of the actual virus analysis. As one condition for secure functioning can be defined, for example, the re-starting of sub-systems 1 and 2 and/or the emptying of their working storage.

FIG. 2B correspondingly presents the forwarding of a message from the local area network, i.e. from sub-system 3 of the security system to an external system 114. If a virus is detected in a message 206 sent from sub-system 3, a protection command 208 is immediately sent to sub-systems 1 and 2. The sub-systems 1 and 2 of receiving and sending direction as shown in FIGS. 2A and 2B contain functions similar in their logic, and they can be physically located in either common or separate hardware, whichever is desired. If the implemented solution is based on at least partially common hardware, the protection commands should be conveniently forwarded to sub-systems 2 and 3 of both data transfer directions, so that communication is disrupted in both directions as well. One can thus ensure that viruses cannot link back to their direction of arrival and thereby possibly contaminate further computers.

FIG. 3 presents a flow chart showing one preferred embodiment of an anti-virus method carried out in sub-system 1 of the security system in accordance with the Invention. The actions of sub-system 1 are, as far as resources, for example the computational capacity, allow, constantly monitored 302, and not only when a message is received 304 from an external system 114 or sub-system 3. Sometimes it may be necessary to set a limit to the maximum duration of the virus search that must not be exceeded. The maximum search time allowed by the limit, that on its part defines the maximum delay caused to communication by the anti-virus method being presented and possibly mentioned in the specifications of the system, must on the average reliably detect messages contaminated by a virus, but in exceptional cases, the sieve of the security system may let pass such messages that are contaminated by viruses the activation manner of which is unknown or by viruses that are otherwise unknown. Even if that happens, in some cases it is possible to protect oneself from additional damage or minimize the damages, if the virus has at some point been detected to begin with, despite having been able to intrude into the user's system. The monitoring of the security system is dealt with further on in greater detail, in connection with the description of the virus activation trials. Should the monitoring reveal a virus 303, an alarm is given and protection command 316 is sent.

The first step in a virus search is to search the message to be forwarded for viruses, using the means 306 of traditional anti-virus programs, looking for known viruses. For this purpose, one can use, for example, a database including fingerprints of viruses. If the first step reveals a virus infection 308, sub-system 1 sends a protection command 316 to sub-systems 2 and 3. Otherwise, the search proceeds to the second step where one tries to activate 310 an unknown virus and thereby make it reveal itself. The security system goes through, for instance, all known virus activation types, and it possibly combines them taking place simultaneously or consecutively. New types of virus activation can, on the other hand, be added to the system whenever they come to one's attention. New types of virus activation detected by the security system can also be programmed to be automatically saved in its virus database. The security system is monitored in order to detect 311 unusual actions and thus actions possibly taken or indirectly caused by viruses. The activation of a virus in the security system is in principle to be preferred to its activation in the user's system, as the security system can after the virus activation be quickly isolated and does not, on the other hand, contain any relevant data in itself, at the most a couple of unforwarded messages still located in the security system. Most of the time, messages sent via communication networks are saved in the sender's mailbox, in which case it is usually possible with no greater problems to re-send messages that have been destroyed during forwarding as a result of virus activation. From the point of view of conducting a search, the types of virus activation can be divided into two main groups: known and unknown types of activation. If the activation of a virus is detected 312, an alarm is given and protection command 316 is sent; otherwise, the message is forwarded 314 normally via sub-system 2.

Known types of virus activation include time-bound activations. A virus making use of time may become active when visiting the system, for example, for the third time, the date being 10 Sep. 2002. In order to detect this type of virus, one can, inter alia, run the time data, the so-called clock of the system, forward and backward, while this time run has possibly got to be carried out several times to ensure that the activation date is passed a sufficient number of times. The number of runs carried out by the security system must be rather high, changeable or at least in some way definable by the user, so that certain time-bound viruses may not, thanks to too low a number of time runs alone, pass the searches on a regular basis. On the other hand, virus activations tied to, for example, memory management can be sieved in the same way with the help of multiple memory fill loops in which memory locations are repeatedly checked out, for example, by writing pseudo data on them. Some viruses will activate when handling files in a mass storage such as the hard disk. The activation of this type of viruses can be facilitated by automatic data processing carried out by the security system, for instance, by reading the pseudo data or writing on them as well as by generating and deleting pseudo files. Also calling functions pertaining to file management, i.e. merely the partial simulation of handling files, may suffice to activate viruses. In addition to the manners mentioned above, even other methods to activate viruses are used, taking into consideration the characteristics of each type of virus activation.

It is possible that the activation of a virus is dependent on several different conditions being present, either simultaneously or consecutively. The conditions for a virus to activate may, on the other hand, change as the virus progresses from hardware to hardware. Nevertheless even then, one can by means of versatile and multiple activation attempts minimize the probability of a virus passing through the security system. On the basis of a logic that is either programmed by the user, pre-programmed, for example, during the publication stage or that is at least partially a random control logic, the security system can decide what activation methods shall be used, how many times they shall be repeated and how the activation methods shall be combined. In the method presented in FIG. 3, the stages 310 and 311 can thus be repeated in accordance with the above-mentioned logic before the message is finally confirmed as virus-free and forwarded. If separate security systems are placed at a number of different spots in the communication chain, the overall security level of the system will rise after multiple, independent checks to quite high a level.

In order to detect completely unknown viruses and their activation types, one can, on the other hand, try to predict possible new activation types or use some particular method to detect consequences of virus contamination or activation. One method helping to detect anomalies in messages that are to be forwarded is based on the multiple sending of messages. In the method in question, the sender of an e-mail will send at least two messages, A and B, where message B is either an identical copy of message A, or at least a precise description of the composition of message A. The comparison of messages A and B can be made already at the sending end, in sub-system 1 of the security system of the sending direction. Sub-system 1 is able to compare exactly the right messages as messages A and B, using the known identification technique. If, for example, the messages are in any case given individual IDs (IDentifiers), one can add the letters A and B to define the different copies of the same message. As an identifier one can use almost any usually distinctive part of the message, from the subject field and its contents to the payload or a part of it. If the comparison does not reveal any anomalies, i.e. the messages are identical except for identifiers and possibly the exact sending time, or the description of message A by message B is fully correct, sub-system 1 of the security system of the sending direction at the sending end will forward message A and either file or delete message B. If anomalies are detected, these will cause a virus alarm, as the said anomaly may be due to the attaching of a virus to either message. A simple technique to separate a contaminated message from an unharmed one is based on the re-sending of the message, where sub-system 1 requests the sender to re-send the message and, once the message is received, compares it with previous messages.
In practice, one can realize this by having the security system of the sending direction at the sending end inform the security system of the receiving direction at the receiving end, which communicate with each other as well, for example, by means of a message saying that the sender is asked to re-send the message. Thereafter the security system of the receiving direction forwards the request to the sender who sends a new copy of the message. Alternatively, the security system of the sending direction can comprise its own return channel to sub-system 3, for instance, to forward confirmation messages or requests for re-sending. If the security system is adapted to confirm to the sender all flawlessly received messages meant to be forwarded, the confirmation may be left unsent deliberately, whereupon the sender automatically re-sends another copy of his message, now confirmed in the usual manner. When comparing copies of messages, one can conclude, for example, from the increase of the file size which message or messages a virus is attached to.

The above-presented method based on the multiple sending of messages can equally be applied at the receiving end, where at least two messages arrive from an external system at sub-system 1 of the security system of the receiving direction, can be associated with each other with the help of their identifiers, and are compared with each other in order to detect anomalies. If the external system does not automatically send or is not programmed to send numerous copies of the message, the security system can, if desired, request the external system to re-send a message already received, using, for example, pre-programmed basic functions of the communication protocol such as, inter alia, the request for re-sending a message and the confirmation of the receipt of a message, and thereby obtain several copies of the message for examining. The request for re-sending can be forwarded to the original sender of the message or, alternatively, for example, to the mail server of the external system that will forward the request to the sender or deliver a possible copy of the message saved in its memory to the security system. In the latter alternative, detecting a virus may basically be more difficult, as the part carried out by the original sender of the copy is completely left out of the communication chain. The request for re-sending can be made to cover only one part of all messages. For example, only messages with attached files would be examined by means of the comparison, as it is attached files that most of the time act as the carriers of viruses.
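The comparison of message copies described above can be sketched as follows. This is an added example, not code from the patent; the `Message` layout, the trailing copy letter in `msg_id` and the sample messages are assumptions constructed for illustration. Copies are compared on everything except identifier and sending time, and when they disagree the copy that differs from the majority (on a tie, the larger one) is reported as the suspect, following the file-size remark in the text.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    msg_id: str               # shared ID plus copy letter, e.g. "1042A" (assumed layout)
    sent_time: str            # excluded from the comparison, as the text allows
    subject: str
    body: bytes
    attachments: tuple = ()   # ((filename, content_bytes), ...)

def base_id(msg):
    """Strip the trailing copy letter so copies A, B, C of one message pair up."""
    return msg.msg_id[:-1]

def fingerprint(msg):
    """Digest of everything except the identifier and the sending time."""
    h = hashlib.sha256()
    parts = [msg.subject.encode(), msg.body]
    for name, data in msg.attachments:
        parts += [name.encode(), data]
    for part in parts:
        h.update(len(part).to_bytes(8, "big"))  # length prefix keeps fields unambiguous
        h.update(part)
    return h.hexdigest()

def size(msg):
    return len(msg.body) + sum(len(data) for _, data in msg.attachments)

def group_copies(messages):
    """Associate copies with each other by their shared identifier."""
    groups = {}
    for msg in messages:
        groups.setdefault(base_id(msg), []).append(msg)
    return groups

def examine(copies):
    """Return (verdict, suspect_ids) for all copies of one message.

    A re-sent copy is handled by appending it to `copies` and calling again.
    """
    if len(copies) < 2:
        return "request-resend", []          # nothing to compare against yet
    variants = {}
    for msg in copies:
        variants.setdefault(fingerprint(msg), []).append(msg)
    if len(variants) == 1:
        return "forward", []                 # identical apart from ID and time
    # Reference variant: the one most copies agree on; on a tie the smaller,
    # since a size increase is read as the sign of an attached virus.
    reference = max(variants.values(), key=lambda g: (len(g), -size(g[0])))
    ref_print = fingerprint(reference[0])
    suspects = sorted(m.msg_id for m in copies if fingerprint(m) != ref_print)
    return "alarm", suspects

# Constructed sample messages (not real traffic).
DOC = b"D" * 2048
COPY_A = Message("1042A", "10:00:00", "Q3 report", b"see attachment", (("q3.doc", DOC),))
COPY_B = Message("1042B", "10:00:01", "Q3 report", b"see attachment",
                 (("q3.doc", DOC + b"X" * 512),))   # copy B grew by 512 bytes
COPY_C = Message("1042C", "10:05:00", "Q3 report", b"see attachment", (("q3.doc", DOC),))
OTHER = Message("2000A", "10:01:00", "Lunch", b"noon?")

if __name__ == "__main__":
    for ident, copies in group_copies([COPY_A, COPY_B, OTHER]).items():
        print(ident, examine(copies))
    print("after re-send:", examine([COPY_A, COPY_B, COPY_C]))
```

As the following paragraph of the description points out, this comparison cannot flag a message when every copy carries the same contaminated attachment.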

In the system presented above, the messages are created in the same system (the sender either in sub-system 3 or in an external system), so it is theoretically possible that all messages contain a virus and it appears in them in the same way. In such a case, comparing messages with each other would not yield a result, if, for instance, they all bear the contaminated attachment. To eliminate this risk, one can, if desired, build a security system where, in parallel with the sender, i.e. the control units (keyboard, mouse etc.) of sub-system 3 of the security system at the sending end, another system is connected with, for example, sub-system 1 of the security system of the sending direction, including the programs and the data of sub-system 3, in such a way that message B is generated and saved in the parallel system in the same way as the message is generated and saved, or at least savable, in sub-systems 1-3, if desired. One alternative for sending control message B(A) to sub-system 1 is now that only message A(B) is sent and at least one control message B(A) is saved in the sending and/or parallel system, and then the system making the comparison, sub-system 1, will make the comparison in the said sending/parallel system. Sub-system 1 can, for example, be programmed to analyse message A in order to establish its characteristics and to connect itself to the parallel system in order to compare the above-mentioned characteristics with the characteristics of message B saved in the parallel system. If sub-system 1 is in itself also the parallel system, i.e. it saves message B already when it is created or at the latest when it is sent, and if it, on the other hand, receives message A normally, the comparison will be quite easy, the connecting to a separate parallel system being unnecessary.

On the other hand, a parallel system can be connected at the sending end to the security system of the sending direction or, alternatively, to another network element suitable for data communication in a way where the said parallel system will forward messages, either passing by or through the security system of the sending end. In that case, further on in the message chain, for example at the receiving end, the security system of the receiving end compares the messages as described earlier, the difference to the solution for comparing messages presented above being mainly that one of the messages originates from a parallel system connected to the sender's system, and not from the sender himself. The security system of the receiving end can, if necessary, request the security system of the sending end to re-send a message or, alternatively, request the sender/parallel system to do so, either directly or indirectly via the security system.

In the monitoring of the security system one will focus, inter alia, on the following particulars to detect viruses:

-   a change takes place in sub-system 1 before sub-system 1 has itself taken any actions causing changes in order to reveal a virus,
-   a change takes place in sub-system 1 where it is not a question of an action taken by the sub-system to reveal a virus,
-   a message is sent to sub-system 2 or to another system without any command from sub-system 1,
-   a message is sent to sub-system 2 or to another system, but to a wrong address or to system X, if one is connected but to which basically no communication has been directed,
-   a message does not leave for sub-system 2 or other system, although sub-system 1 has sent it there,
-   the monitoring software of the system detects an activated virus on some other basis.
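The first five monitoring conditions above can be evaluated mechanically by comparing what sub-system 1 intended to do with what was actually observed. The following is an added example, not code from the patent; the record types, the alarm labels and the journal entries are assumptions constructed for illustration, and the sixth condition (detection on some other basis) is outside its scope.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OwnAction:        # change made by sub-system 1 itself to provoke a virus
    t: float
    target: str         # e.g. "clock" or a pseudo file path

@dataclass(frozen=True)
class SendCommand:      # forwarding order issued by sub-system 1
    msg_id: str
    dest: str

@dataclass(frozen=True)
class ObservedChange:   # change seen by the monitor, whoever caused it
    t: float
    target: str

@dataclass(frozen=True)
class ObservedSend:     # message actually seen leaving sub-system 1
    msg_id: str
    dest: str

def evaluate(own_actions, commands, changes, sends):
    """Return a list of (alarm, subject) tuples, one per violated condition."""
    alarms = []
    first_own = min((a.t for a in own_actions), default=float("inf"))
    for c in changes:
        if c.t < first_own:
            # Condition 1: change before sub-system 1 has acted at all.
            alarms.append(("change-before-own-action", c.target))
        elif not any(a.target == c.target and a.t <= c.t for a in own_actions):
            # Condition 2: change that no own action accounts for.
            alarms.append(("unattributed-change", c.target))
    ordered = {cmd.msg_id: cmd.dest for cmd in commands}
    seen = set()
    for s in sends:
        seen.add(s.msg_id)
        if s.msg_id not in ordered:
            # Condition 3: message left without any command.
            alarms.append(("send-without-command", s.msg_id))
        elif s.dest != ordered[s.msg_id]:
            # Condition 4: wrong address, or a system nothing was directed to.
            alarms.append(("send-to-wrong-address", s.msg_id))
    for msg_id in ordered:
        if msg_id not in seen:
            # Condition 5: commanded message never left.
            alarms.append(("commanded-send-missing", msg_id))
    return alarms

# Constructed journal of one examination run (not real data).
OWN_ACTIONS = [OwnAction(10.0, "clock"), OwnAction(11.0, "/scratch/pseudo1.dat")]
COMMANDS = [SendCommand("m1", "sub2"), SendCommand("m2", "sub2"), SendCommand("m3", "sub2")]
CHANGES = [
    ObservedChange(9.5, "/scratch/pseudo1.dat"),   # before any own action
    ObservedChange(10.0, "clock"),                 # explained by the clock run
    ObservedChange(12.0, "/bin/mailer"),           # nobody asked for this
]
SENDS = [
    ObservedSend("m1", "sub2"),        # as commanded
    ObservedSend("m2", "system-x"),    # commanded, but diverted
    ObservedSend("m9", "sub2"),        # never commanded
]

if __name__ == "__main__":
    for alarm in evaluate(OWN_ACTIONS, COMMANDS, CHANGES, SENDS):
        print(alarm)
```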

When sub-system 1 upon an alarm forwards a protection command 316 to sub-systems 2 and 3, the sub-systems 1-3 will disrupt their data transfer connection, for example so that they can no longer receive or send messages. What is relevant to the actions caused by the protection command is that communication between sub-systems 1 and 2 and the user's system no longer runs before the cause of the virus alarm has been established and possibly contaminated files have been cleaned. One simple alternative to clean the security system is the re-installation of sub-systems 1 and 2, if desired, only after chosen files have been transferred, either automatically or on the basis of the user's command, to sub-system 210 for later analysis. Possible downtime affecting communication between the external network and the system to be protected, caused by the virus alarm of the anti-virus system and the protection/analysis measures pertaining thereto, can be minimized by taking into use a back-up system, for example, a parallel security system. If the virus can be analysed in sub-system 210, its “fingerprints” can later be sent to known security systems and to the server of the developer of the security system, for instance, to be added to a virus database being regularly delivered to clients, so that the virus in question can later be identified already at the first stage 306 of the virus search.

The protection command is conveniently sent to sub-systems 2 and 3 using a separate and secure connection, even though a datalink shared with normal communication is possible. It is important for the forwarding of the protection command that the command be sent as quickly and reliably as possible to the recipient, and the protection command must reach the recipient, i.e. sub-system 2 or 3, before the virus manages to cause any damage to the said systems or propagate. For instance, when a contaminated message arrives from an external system 114 to router 110, the protection command from sub-system 1 must reach sub-system 3 before the virus, and it must be possible to disrupt the connection between sub-systems 2 and 3, so that the contaminated message is not forwarded to sub-system 3 at all. The connection can be disrupted, for example, on software basis, by shutting down data transfer services in the sub-systems in question. If the user's system, sub-system 3, uses, for example, traditional 10 Mbit/s Ethernet links, but hub 112 has the required logic to handle 10<−>100 Mbit/s speed conversion and the prioritization of different links, sub-system 1 of the security system placed in connection with router 110 can be directly connected by a 100 Mbit/s link to hub 112, which is programmed to give the highest priority to data passing through the 100 Mbit/s link. In the equipment implementing the security system, a particular form is defined for the protection command, or at least a particular identifier helping receivers identify it. Also, if the connection from the sender of the protection command to its recipient is separate, one can regard almost any data sent through it to constitute sufficient grounds for disrupting the connection. In such a case, when a virus manages to get hold of the security system and sends its own messages bearing viruses using the separate connection, they as well will set off the alarm.
High execution priorities must be defined for the software and processes implementing the security system, covering all sub-systems 1-3, so that protection commands are sent and received with no delay, whether the protection command is forwarded via a separate connection or not. Sub-system 2 may be set to deliberately delay the forwarding of messages, for example, by means of a parameter to be adjusted by the user, so that contaminated messages have with certainty not been forwarded when a possible protection command arrives. On the other hand, it is possible to program hub 112 or other similar node element of sub-system 3 to read the protection commands and to disrupt communication transferred through it. In that case, one would not need to establish for each element of sub-system 3 a separate connection to sub-system 1 or program a support for interpreting a protection command.

In a further preferred embodiment of the Invention (see FIG. 4), sub-system 2 is left out of the security system, if the protection command 402 reaches its recipient quicker than it takes for the contaminated message to be sent and received. Sub-system 210 can still be left for the analysing of viruses. The quick transfer of the protection command can be realized, for example, with the help of a fast separate data connection. Also the high priority of processes pertaining to the handling of protection commands of the software of the security system and slowing down other communication to a level lower than the maximum will increase the chances to detect viruses before they propagate. On the other hand, the said slowing down can be linked to the virus detection, for example, by sub-system 1 slowing down its own communication as defined upon detecting a virus, with sub-systems 2 and 3 acting accordingly upon having received a protection command. In such a case one achieves as high a level of protection against virus attacks, yet the system remains simple in its structure and enables lower hardware requirements than the former embodiment.

FIG. 5 presents a further preferred embodiment of the Invention, where the security system according to the afore-presented first preferred embodiment of the Invention isolates the user's system, i.e. sub-system 3, from the external system 114 to hinder unauthorized intrusion attempts. Data, for example files and messages, is transferred from the external system 114 to sub-system 3 through sub-systems 1 and 2. In the example of the figure, sub-system 1, which does not have any simultaneous connections to the external system and sub-system 2, has received a message from the external system. Next, the connection between the external system 114 and sub-system 1 is disrupted before a connection is established between sub-systems 1 and 2 and the message is forwarded to sub-system 2 (see stage A of the figure). Thereafter, the connection between sub-systems 1 and 2 is disrupted before a connection is established between sub-systems 2 and 3 and the message is forwarded to the recipient in sub-system 3 (see stage B of the figure). Now also the connection between external system 114 and sub-system 1 can be opened again (cf. dashed line in the figure). Therefore, no real-time connection between the external system 114 and sub-system 3 exists and sub-system 3 is isolated. The disrupting of connections can be realized, for example, on software basis by shutting down data transfer services in sub-systems 1 and 2. Attempted attacks against sub-system 3 can nevertheless be based on, inter alia, hostile programs sent with messages (cf. Trojan horses) that perform hidden actions such as collecting of information in sub-system 3 or that try to interfere with its activities. Programs of this kind can, however, be detected by the virus search and activation methods of sub-system 1 before they access sub-system 3. A similar procedure can be followed, if desired, when transferring data from sub-system 3 to the external system 114.
Of course, in both data transfer directions there are even other alternatives for disrupting and establishing connections between sub-systems and the external network guaranteeing staggered data transfer, where no real-time connection between the external network and sub-system 3 can come into being at any stage. If the connections being used are duplex, sub-system 1 of the receiving direction and sub-system 2 of the sending direction, and on the other hand, sub-system 2 of the receiving direction and sub-system 1 of the sending direction can be conveniently placed in each other's proximity.
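The staggered transfer of FIG. 5 amounts to a store-and-forward relay with one invariant: a sub-system never holds its two neighbouring connections at the same time. The following is an added example, not code from the patent; the link names, the `StaggeredRelay` class and the in-memory buffers are assumptions made for illustration.

```python
LINKS = ("ext-1", "1-2", "2-3")          # external<->sub1, sub1<->sub2, sub2<->sub3
ADJACENT = {"ext-1": ("1-2",), "1-2": ("ext-1", "2-3"), "2-3": ("1-2",)}

class IsolationError(RuntimeError):
    """Raised when opening a link would bridge two neighbouring connections."""

class StaggeredRelay:
    def __init__(self):
        self.up = {name: False for name in LINKS}
        self.buffers = {"sub1": [], "sub2": [], "sub3": []}
        self.history = []                # link state after every open/close

    def _snapshot(self):
        self.history.append(tuple(n for n in LINKS if self.up[n]))

    def open(self, link):
        busy = [n for n in ADJACENT[link] if self.up[n]]
        if busy:
            raise IsolationError(f"{link} refused while {busy[0]} is up")
        self.up[link] = True
        self._snapshot()

    def close(self, link):
        self.up[link] = False
        self._snapshot()

    def _shift(self, src, dst):
        self.buffers[dst].extend(self.buffers[src])
        self.buffers[src].clear()

    def transfer(self, message):
        """Move one message from the external system to sub-system 3."""
        self.open("ext-1")
        self.buffers["sub1"].append(message)   # sub-system 1 receives and examines
        self.close("ext-1")                    # disrupted before stage A
        self.open("1-2")
        self._shift("sub1", "sub2")            # stage A
        self.close("1-2")                      # disrupted before stage B
        self.open("2-3")
        self._shift("sub2", "sub3")            # stage B
        self.open("ext-1")                     # may reopen now (dashed line in FIG. 5)
        self.close("2-3")

def never_bridged(history):
    """True if no recorded state had two neighbouring links up at once."""
    return not any(
        other in state for state in history for link in state for other in ADJACENT[link]
    )

if __name__ == "__main__":
    relay = StaggeredRelay()
    relay.transfer(b"constructed test message")
    print(relay.history, never_bridged(relay.history))
```

Because only non-adjacent links can be up together, no state of the relay offers a continuous path from the external system to sub-system 3.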

In a further preferred embodiment of the Invention (see FIG. 6), apparatus 606 is connected to a network element such as the user's computer 602, router, switch, server 604 or hub, in order to activate and detect viruses. The link 608 can be realized, for example, with the help of an Ethernet type of link using a pair cable or wirelessly via a WLAN connection. Contrary to former embodiments, apparatus 606 does in this case not forward messages, but at least a part of the messages sent, intended to be sent or received by network element 602, 604 is transferred to it for examination. If all messages are not regularly sent to the said apparatus 606, or, alternatively, apparatus 606 does not fetch them from network elements 602, 604 by itself, one can at least program, for instance, a desired percentage of all messages to be forwarded to apparatus 606 for virus search, and the messages included in this share can be chosen on the basis of different criteria. One criterion could be that messages with attachments are always examined. Apparatus 606, which could be, for example, a computer, includes to a relevant extent the same software as sub-system 1 of the security system presented above, in addition to which one can include, if needed, features of sub-system 2, either in the same or in at least partially detached sub-equipment. The identifiers, such as domain or host names of the actual recipients of messages to be examined obtained from network element 602, 604, can be preserved and communication to the said recipients be simulated by adding the identifiers either on software basis or even in another manner to sub-equipment separated from apparatus 606, which thus partially equals sub-system 2 of the security system presented above, functioning as an “interim storage” for messages where apparatus 606 can, as a test, forward messages it has received, but in this case does not actually forward the messages the way sub-system 2 does.
Therefore, even methods to detect virus activation pertaining to the forwarding of messages can be used in the afore-mentioned apparatus 606.

The apparatus includes the necessary memory, for example a RAM memory circuit 610 and a non-volatile memory 612 such as a hard disk or diskette drive for saving commands of programs, for example anti-virus software, and for handling files or the simulation of handling files, as well as a processor 614 for carrying out the commands mentioned. Apparatus 606 receives a message from the network element 602, 604 connected thereto and searches the message for known and unknown viruses using techniques mentioned earlier in this description, inter alia, the method in FIG. 3. For the duration of the message examination, other communication in network element 602, 604 connected to apparatus 606 can be interrupted, for example on a software basis, until apparatus 606 informs the said network elements 602, 604 that the message is clean, or alternatively, the virus search may be completely independent from the actual communication in the other system. Correspondingly, one can delay the forwarding of a message that is to be examined to the actual recipient, until the message has been confirmed to be virus-free by apparatus 606. Apparatus 606 can, on the other hand, be programmed to return the examined message even in its entirety to network element 602, 604, in which case network element 602, 604 will forward the said examined message as such, and the original, un-examined copy of the message is not sent at all. Network element 602, 604 can alternatively be programmed to delete the original message immediately after a copy of the message has been sent to apparatus 606 for examining. Thus the risk of an un-examined message travelling further can be minimized.

Having detected a virus infection in a message that is to be forwarded, apparatus 606 saves the particulars of the occurrence in the memory 610, 612, and if the connection between apparatus 606 and network element 602, 604 is duplex, while the transfer directions may be separated from each other, it also conveniently informs the said network element 602, 604 of the virus alarm by means of a message. In this embodiment, the Invention can easily be attached to another system already in use, as the minimum requirement regarding the other system is only a data transfer connection for forwarding the message besides its actual target also to apparatus 606 in accordance with the Invention. Furthermore, a person skilled in the art can simply implement, in software, a control logic for interrupting communication until information from apparatus 606 concerning the message being clean has been received, or corresponding functions in connection with a virus alarm.

The afore-presented security system, method and apparatus for repelling computer viruses and isolating data deal with a fundamental problem concerning the data security of information systems and networks: how unknown viruses can be detected and their attacks resisted. Traditionally, a virus is detected only after becoming active in the target system, after which the virus is identified and the detected fingerprints are added to the databases of anti-virus software. This kind of solution requires immediate action from a number of different parties in order to eliminate a more serious epidemic; the first detector of the virus must instantly deliver the contaminated file or similar item to the party responsible for updating the anti-virus software, the updater must issue a new version of the database of the anti-virus software and deliver it to every user, who in the end is supposed to update the database of his client application to correspond with the additions made. It is obvious that if one of the above-mentioned stages of the action chain is omitted or it fails for some other reason, for example due to damaged mail or data transfer connections, nothing will hinder the spreading of the virus. The proposed new solution initially uses a virus database to detect known viruses, but will then commence activation attempts and the general monitoring of the system to detect new, still unknown viruses. If a virus is activated, the damages will be limited to the restorable security system and communication is disrupted to prevent the spreading of contaminated messages to the external or the internal network. The reliability of performance of the system is increased by forwarding the protection commands via separate, secure connections. The security system monitors itself even when there are no actual messages to be forwarded, so that possibly undetected viruses would be found at as early a stage as possible.
With the help of the security system the user's system can be separated from the external network in order to hinder attempts to intrude.

The afore-presented embodiments of the Invention are only non-limiting examples, and the final implementation of the Invention may thus vary within the inventive idea covered by the Patent claims to be presented further on in this application.

REFERENCES

-   [1] Olaf Kirch, The Network Administrators' Guide, 1996, URL: http://tldp.org/LDP/nag/
-   [2] Computer Networks: A Systems Approach, Morgan Kaufmann, 1999, ISBN 1-55860-514-2

1. A security system for repelling viruses in computers and computernetworks, which security system is adapted to forward messages,characterized in that the security system includes a first sub-system(1) to detect unknown viruses, which sub-system (1) is adapted inconnection with the forwarding of messages or with other action or, in atimed manner, to perform at least one action to activate unknownviruses.
 2. A security system in accordance with claim 1, characterizedin that it is adapted to forward an alarm caused by the detection of avirus to at least one system connected to the security system (2,3). 3.A security system in accordance with claim 1, characterized in that itis adapted to break the connection to at least one other system (2,3,114) on the basis of an alarm caused by the detection of a virus.
 4. Asecurity system in accordance with claim 1, characterized in that itadditionally includes a second sub-system (2) for forwarding messagesfrom the first sub-system (1) to at least one system (3, 210, 114)connected to the security system.
 5. A security system in accordancewith claim 1, characterized in that it additionally includes a thirdsub-system (3) that is adapted to break the connection to at least oneother sub-system (1,2) upon receiving an alarm.
 6. A security system inaccordance with claim 5, characterized in that the second sub-system (2)includes an identifier which corresponds identifier of the apparatus (3)of the third sub-system.
 7. A security system in accordance with claim1, characterized in that the first sub-system (1) is adapted to monitorits actions to detect viruses.
 8. A security system in accordance withclaim 2, characterized in that the alarm is a message or at least a partof a message that is forwarded to the recipient quicker than othercommunications.
 9. A security system in accordance with claim 5,characterized in that the third sub-system (3) includes at least onecomputer or one network element including a computer.
 10. A securitysystem in accordance with claim 2, characterized in that the alarm isforwarded via a separate connection.
 11. A security system in accordancewith claim 1, characterized in that the said action is one thefollowing: altering the time data, altering the contents of the memory,handling of files or at least its partial simulation.
 12. A securitysystem in accordance with claim 1, characterized in that it is adaptedto detect an activated virus when at least one of the followingconditions is met: a change takes place in the first sub-system (1)prior to actions causing changes carried out by the first-mentionedsub-system, a change takes place in the first sub-system (1) that is notan action taken by the said sub-system to detect a virus, a messageleaves for another system without command from the first sub-system (1),a message leaves for another system to a wrong address or to a systemwhich no communication has been directed to, a message does not leavefor another system although it has been sent there.
 13. A securitysystem in accordance with claim 1, characterized in that it is adaptedto combine activation measures of viruses to take place eithersimultaneously or consecutively in time.
 14. A security system inaccordance with claim 1, characterized in that it is adapted to chooseone or more of the following logics when trying to activate viruses: onedefined by the user, pre-programmed or at least partially random logic.15. A security system in accordance with claim 5, characterized in thatto it has been connected parallel with a third sub-system (3) a systemthat is adapted to save a message sent from the third sub-system (3).16. A security system in accordance with claim 15, characterized in thatthe first sub-system (1) is adapted to compare in a parallel system amessage sent from the third sub-system (3) to the first sub-system (1)and additionally saved in the parallel system in order to detect ananomaly caused by a virus.
 17. A security system in accordance withclaim 15, characterized in that the above-mentioned parallel system isadapted to forward a message saved by it.
 18. A security system inaccordance with claim 1, characterized in that it is adapted to examinemessages forwarded through it in order to detect known viruses.
 19. Asecurity system in accordance with claim 4, characterized in that inorder to isolate data between the first (114) and the second (3) system,it has been adapted to transfer data between the first (114) and thesecond (3) system through the first (1) and the second (2) sub-system,which security system is adapted to disrupt the connection between thefirst system (114) and the first (1) sub-system before a connection isestablished between the first (1) and the second (2) sub-system, and isadapted to disrupt the connection between the first (1) and the second(2) sub-system before a connection is established between the secondsub-system (2) and the second system (3).
 20. A security system forrepelling viruses in computers and computer networks, which securitysystem is adapted to forward messages, characterized in that thesecurity system includes a first sub-system (1) for detecting unknownviruses, which first sub-system (1) is adapted to compare messages withat least partially identical identifiers with each other in order todetect unknown viruses.
 21. A security system in accordance with claim20, characterized in that it is adapted to request the sender of theabove-mentioned messages with the same identifiers to re-send at leastone message with the same identifier and further adapted to compare atleast one re-sent message received with the above-mentioned originalmessages in order to detect messages containing viruses.
 22. A methodfor repelling viruses in computers and data networks, characterized inthat it is carried out in a security system including a first sub-system(1) for forwarding messages and for detecting viruses, which firstsub-system (1) can, with regard to data transfer, be isolated from therest of the system, which method includes the steps where: the functionsof the system are monitored in order to detect a virus (311), a virus(312) is detected when at least one of the following conditions are met:a change takes place in the first sub-system (1) prior to actionscausing changes carried out by the first-mentioned sub-system, a changetakes place in the first sub-system (1) that is not an action taken bythe said sub-system to detect a virus, a message leaves for anothersystem without command from the first sub-system (1), a message leavesfor another system to a wrong address or to a system which nocommunication has been directed to, a message does not leave for anothersystem although it has been sent there, an alarm (316) is given.
 23. Amethod for repelling viruses in computers and computer networks,characterized in that the method has stages where: at least one actionin the system is taken in connection with the forwarding of messages orother action, or in a timed manner, in order to activate a virus (310),the actions of the system are monitored in order to detect an occurrenceinitiated by virus activation (311), an alarm (316) is given when avirus is detected (312).
 24. A method in accordance with claim 23,characterized in that the system running it includes a first sub-system(1) for forwarding of messages and for detecting of viruses, which firstsub-system (1) can be isolated from another system as to communications.25. A method in accordance with claim 23, characterized in that theaction taken to activate a virus is one of the following: altering thetime data, altering the contents of the memory, handling of files or atleast its partial simulation.
 26. A method in accordance with claim 23,characterized in that it is run in a security system including a firstsub-system (1) and a second sub-system (2) in which method theactivation of a virus is detected when at least one of the followingconditions is met: a change takes place in the first sub-system (1)prior to actions causing changes carried out by the first-mentionedsub-system, a change takes place in the first sub-system (1) that is notan action taken by the said sub-system to detect a virus, a messageleaves for another system without command from the first sub-system (1),a message leaves for another system to a wrong address or to a systemwhich no communication has been directed to, a message does not leavefor another system although it has been sent there.
 27. A method inaccordance with claim 23, characterized in that in order to activate avirus, activation measures are combined to take place eithersimultaneously or consecutively in time.
 28. A method in accordance withclaim 23, characterized in that the logic to be used when trying toactivate a virus is one of the following: one defined by the user,pre-programmed or at least partially random logic.
 29. A method inaccordance with claim 23, characterized in that it also includes a stagewhere known viruses (306) are searched for on the basis of theircharacteristics.
 30. A method in accordance with claim 23, characterized in that in order to isolate data between the first (114) and the second (3) system the method is run in a security system that includes a first (1) and a second (2) sub-system through which sub-systems (1,2) data is transferred between the first (114) and the second (3) system phase by phase, in which phases: the connection for data transfer is disrupted between the first system (114) and the first sub-system (1), a connection for data transfer is established between the first sub-system (1) and the second sub-system (2), the connection for data transfer is disrupted between the first sub-system (1) and the second sub-system (2), a connection for data transfer is established between the second sub-system (2) and the second system (3).
 31. An apparatus for repelling viruses in computers and computer networks, which apparatus includes equipment for saving data (610,612) and for handling data (614) and equipment for transferring data (608) with another apparatus, characterized in that the apparatus is adapted to receive a message from the said other apparatus and to perform at least one action to activate viruses contained in the message.
 32. An apparatus in accordance with claim 31, characterized in that the action mentioned is at least one of the following: altering the time data, altering the contents of the memory, handling of files or at least its partial simulation.
 33. An apparatus in accordance with claim 31, characterized in that it is adapted to detect virus activation when at least one of the following conditions is met: a change takes place prior to actions caused by changes made by the apparatus, a change takes place that is not an action taken by the apparatus to detect a virus.
 34. An apparatus in accordance with claim 31, characterized in that it is adapted to send a message to either a sub-assembly of the apparatus or to the other apparatus mentioned, and it is adapted to detect virus activation when at least one of the following conditions is met: a message leaves without authorization from the anti-virus software of the apparatus, a message leaves for an address it has not originally been directed to, a message does not leave although it has been given a command to be sent.
 35. An apparatus in accordance with claim 31, characterized in that it is adapted to combine virus activation measures to take place either simultaneously or consecutively in time.
 36. An apparatus in accordance with claim 31, characterized in that it is adapted to choose as the logic to be used when trying to activate a virus one of the following: one defined by the user, pre-programmed or at least partially random logic.
 37. An apparatus in accordance with claim 31, characterized in that it is adapted to examine the message mentioned in order to detect known viruses.
 38. An apparatus in accordance with claim 31, characterized in that it is adapted to monitor its functions in order to detect viru
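
The detection conditions of claims 26, 33 and 34, applied to an event trace, as an added example that is not part of the patent text. The event model (`Event` and its `kind` values), the function name and the trace are assumptions constructed for illustration; the addresses come from documentation ranges.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: int            # logical timestamp inside sub-system 1
    kind: str         # "action" | "change" | "send_cmd" | "sent" (assumed model)
    target: str       # changed object, or destination address for messages
    msg_id: str = ""

def detect_activation(events):
    """Return (timestamp, reason) alarms for the conditions listed in claim 26."""
    alarms = []
    touched = set()    # objects sub-system 1 has itself acted on
    commanded = {}     # msg_id -> destination that sub-system 1 ordered
    left = set()       # msg_ids observed leaving
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "action":
            touched.add(e.target)
        elif e.kind == "change":
            if not touched:
                alarms.append((e.t, "change before any own action"))
            elif e.target not in touched:
                alarms.append((e.t, "change not caused by own action"))
        elif e.kind == "send_cmd":
            commanded[e.msg_id] = e.target
        elif e.kind == "sent":
            left.add(e.msg_id)
            if e.msg_id not in commanded:
                alarms.append((e.t, "message left without command"))
            elif commanded[e.msg_id] != e.target:
                alarms.append((e.t, "message left for wrong address"))
    # Commands that never produced an outgoing message (last condition).
    for msg_id in sorted(set(commanded) - left):
        alarms.append((None, f"message {msg_id} never left"))
    return alarms

# Constructed trace: one benign change and send, plus one hit per condition.
TRACE = [
    Event(1, "change", "boot.cfg"),
    Event(2, "action", "sample.doc"),
    Event(3, "change", "sample.doc"),
    Event(4, "change", "addressbook.dat"),
    Event(5, "send_cmd", "sub-system-2", "m1"),
    Event(6, "sent", "sub-system-2", "m1"),
    Event(7, "sent", "198.51.100.7", "m2"),
    Event(8, "send_cmd", "sub-system-2", "m3"),
    Event(9, "sent", "203.0.113.9", "m3"),
    Event(10, "send_cmd", "sub-system-2", "m4"),
]

if __name__ == "__main__":
    for alarm in detect_activation(TRACE):
        print(alarm)
```
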